PublicDateAtUSN: 2014-10-02
Candidate: CVE-2014-7144
PublicDate: 2014-10-02
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7144
https://marc.info/?l=oss-security&m=141095376530829&w=2
http://seclists.org/oss-sec/2014/q3/731
http://lists.openstack.org/pipermail/openstack-announce/2014-September/000281.html
http://www.ubuntu.com/usn/usn-2705-1
Description:
OpenStack keystonemiddleware (formerly python-keystoneclient) 0.x before
0.11.0 and 1.x before 1.2.0 disables certificate verification when the
"insecure" option is set in a paste configuration (paste.ini) file
regardless of the value, which allows remote attackers to conduct
man-in-the-middle attacks via a crafted certificate.
Ubuntu-Description:
Notes:
mdeslaur> will not be fixed before 14.10 goes EoL
mdeslaur> upstream patch requires a more recent version of oslo.config
mdeslaur> than what is currently in trusty
Bugs:
https://bugs.launchpad.net/python-keystoneclient/+bug/1353315
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762748 (keystonemiddleware)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=762749 (keystoneclient)
Priority: medium
Discovered-by: Qin Zhao
Assigned-to: mdeslaur
Patches_python-keystonemiddleware:
upstream: https://review.openstack.org/#/c/113191/ (master)
upstream: https://review.openstack.org/gitweb?p=openstack/keystonemiddleware.git;a=commit;h=bc2613e06b7dee3a51191de900d98636181ba130
upstream_python-keystonemiddleware: released (1.0.0-3)
lucid_python-keystonemiddleware: DNE
precise_python-keystonemiddleware: DNE
trusty_python-keystonemiddleware: DNE
utopic_python-keystonemiddleware: ignored (reached end-of-life)
vivid_python-keystonemiddleware: not-affected (1.3.1-0ubuntu2)
devel_python-keystonemiddleware: not-affected (1.3.1-0ubuntu2)
Patches_python-keystoneclient:
upstream: https://review.openstack.org/#/c/112232/ (master)
upstream: https://review.openstack.org/gitweb?p=openstack/python-keystoneclient.git;a=commit;h=dee8bc62d641f633342cfdc37a246916a40b2f33
upstream_python-keystoneclient: released (1:0.10.1-2)
lucid_python-keystoneclient: DNE
precise_python-keystoneclient: not-affected (code not present)
trusty_python-keystoneclient: released (1:0.7.1-ubuntu1.2)
utopic_python-keystoneclient: ignored (reached end-of-life)
vivid_python-keystoneclient: not-affected (1:0.11.2-0ubuntu1)
devel_python-keystoneclient: not-affected (1:0.11.2-0ubuntu1)